From e12d0820bb0beff44a087e25001a429a28ca9b1a Mon Sep 17 00:00:00 2001 From: Kunal Dawar Date: Tue, 22 Oct 2024 13:40:00 +0530 Subject: [PATCH 1/6] Added RL Scanner --- .github/workflows/rl-scanner.yml | 76 ++++++++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100644 .github/workflows/rl-scanner.yml diff --git a/.github/workflows/rl-scanner.yml b/.github/workflows/rl-scanner.yml new file mode 100644 index 00000000..9a50e72a --- /dev/null +++ b/.github/workflows/rl-scanner.yml 
@@ -0,0 +1,76 @@
+name: RL-Secure Workflow
+run-name: rl-scanner-only
+
+on:
+ merge_group:
+ workflow_dispatch:
+ push:
+ branches: ["main"]
+ pull_request:
+ types:
+ - opened
+ - synchronize
+
+jobs:
+ checkout-build-scan-only:
+ runs-on: ubuntu-latest
+
+ permissions:
+ pull-requests: write
+ id-token: write
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Configure Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: "3.10"
+
+ - name: Configure dependencies
+ run: |
+ pip install --user --upgrade pip
+ pip install --user pipx
+ pipx ensurepath
+ pipx install poetry==1.4.2
+ pip install --upgrade pip
+ pip install boto3 requests
+ poetry config virtualenvs.in-project true
+ poetry install --with dev
+ poetry self add "poetry-dynamic-versioning[plugin]==1.1.1"
+
+ - name: Build release
+ run: |
+ poetry build
+
+ - name: Create tgz build artifact
+ run: |
+ tar -czvf auth0-python.tgz *
+
+ - name: Get Artifact Version
+ id: get_version
+ run: echo "version=$(cat .version)" >> $GITHUB_ENV
+
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ role-to-assume: ${{ secrets.PRODSEC_TOOLS_ARN }}
+ aws-region: us-east-1
+ mask-aws-account-id: true
+
+ - name: Run Reversing Labs Wrapper Scanner
+ env:
+ RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
+ RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
+ SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
+ WRAPPER_INDEX_URL: "https://${{ secrets.PRODSEC_TOOLS_USER }}:${{ secrets.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple"
+ PYTHONUNBUFFERED: 1
+ run: |
+ pip install rl-wrapper --index-url $WRAPPER_INDEX_URL && \
+ rl-wrapper \
+ --artifact "$(pwd)/auth0-python.tgz" \
+ --name "${{ github.event.repository.name }}" \
+ --version "${{ steps.get_version.outputs.version }}" \
+ --repository "${{ github.repository }}" \
+ --commit "${{ github.sha }}" \
+ --build-env "github_action"
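Review bot: The `Get Artifact Version` step writes `version=...` to `$GITHUB_ENV`, but the scanner step reads `${{ steps.get_version.outputs.version }}`, which is only populated through `$GITHUB_OUTPUT`; as written `--version` receives an empty string. Change the line to `run: echo "version=$(cat .version)" >> "$GITHUB_OUTPUT"`; patch 5's rl-scanner.yml hunk keeps the same pair (`>> $GITHUB_ENV` next to `steps.get_version.outputs.version`), so the fix applies there as well. The `pull-requests: write` permission is used by no step in this hunk and can be dropped, leaving only the `id-token: write` that the AWS OIDC step needs. The third-party actions (`actions/checkout`, `actions/setup-python`, `aws-actions/configure-aws-credentials`) are pinned by major tag; pinning by commit SHA with a `# vN` comment is the usual hardening for a job that holds production-tooling secrets.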
From 0bcfe83849a32298baa77b6d9d62a86330203163 Mon Sep 17 00:00:00 2001 From: Kunal Dawar Date: Tue, 22 Oct 2024 13:46:44 +0530 Subject: [PATCH 2/6] Fix pipeline --- .github/workflows/rl-scanner.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/rl-scanner.yml b/.github/workflows/rl-scanner.yml index 9a50e72a..f58163d4 100644 --- a/.github/workflows/rl-scanner.yml +++ b/.github/workflows/rl-scanner.yml @@ -13,6 +13,8 @@ on: jobs: checkout-build-scan-only: + if: github.event_name == 'workflow_dispatch' || + (github.event_name == 'pull_request' && startsWith(github.event.pull_request.head.ref, 'release/')) runs-on: ubuntu-latest permissions: @@ -21,6 +23,9 @@ jobs: steps: - uses: actions/checkout@v4 + with: + fetch-depth: 0 + fetch-tags: true - name: Configure Python uses: actions/setup-python@v5 From 90e403306e28002549cee9b41cebdf470d84324a Mon Sep 17 00:00:00 2001 From: Kunal Dawar Date: Tue, 22 Oct 2024 13:47:46 +0530 Subject: [PATCH 3/6] Fix pipeline --- .github/workflows/rl-scanner.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/rl-scanner.yml b/.github/workflows/rl-scanner.yml index f58163d4..06fd47f9 100644 --- a/.github/workflows/rl-scanner.yml +++ b/.github/workflows/rl-scanner.yml @@ -13,8 +13,6 @@ on: jobs: checkout-build-scan-only: - if: github.event_name == 'workflow_dispatch' || - (github.event_name == 'pull_request' && startsWith(github.event.pull_request.head.ref, 'release/')) runs-on: ubuntu-latest permissions: From 2383604985c02aee5a1bdd9a358a337235d23c3e Mon Sep 17 00:00:00 2001 From: Kunal Dawar Date: Tue, 22 Oct 2024 13:50:32 +0530 Subject: [PATCH 4/6] Fix pipeline --- .github/workflows/rl-scanner.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/rl-scanner.yml b/.github/workflows/rl-scanner.yml index 06fd47f9..f58163d4 100644 --- a/.github/workflows/rl-scanner.yml +++ b/.github/workflows/rl-scanner.yml 
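Review bot: The `if:` added to `checkout-build-scan-only` admits only `workflow_dispatch` and pull requests whose head ref starts with `release/`, so the `merge_group` and `push: branches: ["main"]` triggers still listed under `on:` start runs whose only job is skipped every time; either drop those two triggers or widen the condition to match them. Patch 4's hunk re-adds the identical two lines after patch 3 removed them, so the same applies there. The two-line plain scalar does fold into a single valid expression, but writing it as `if: >-` with the continuation below makes the line break deliberate rather than looking like a stray indent.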
@@ -13,6 +13,8 @@ on: jobs: checkout-build-scan-only: + if: github.event_name == 'workflow_dispatch' || + (github.event_name == 'pull_request' && startsWith(github.event.pull_request.head.ref, 'release/')) runs-on: ubuntu-latest permissions: From c7aec0db54fb001695fe22eed6af78e3021b141c Mon Sep 17 00:00:00 2001 From: Kunal Dawar Date: Tue, 29 Oct 2024 16:26:07 +0530 Subject: [PATCH 5/6] Updated Flow --- .github/actions/rl-scanner/action.yml | 71 +++++++++++++++++++++++++++ .github/workflows/publish.yml | 14 +++++- .github/workflows/rl-scanner.yml | 66 +++++++++++++------------ 3 files changed, 119 insertions(+), 32 deletions(-) create mode 100644 .github/actions/rl-scanner/action.yml diff --git a/.github/actions/rl-scanner/action.yml b/.github/actions/rl-scanner/action.yml new file mode 100644 index 00000000..03c378a0 --- /dev/null +++ b/.github/actions/rl-scanner/action.yml 
@@ -0,0 +1,71 @@
+name: "Reversing Labs Scanner"
+description: "Runs the Reversing Labs scanner on a specified artifact."
+inputs:
+ artifact-path:
+ description: "Path to the artifact to be scanned."
+ required: true
+ version:
+ description: "Version of the artifact."
+ required: true
+
+runs:
+ using: "composite"
+ steps:
+ - name: Set up Python
+ uses: actions/setup-python@v4
+ with:
+ python-version: "3.10"
+
+ - name: Install Python dependencies
+ shell: bash
+ run: |
+ pip install boto3 requests
+
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ role-to-assume: ${{ env.PRODSEC_TOOLS_ARN }}
+ aws-region: us-east-1
+ mask-aws-account-id: true
+
+ - name: Install RL Wrapper
+ shell: bash
+ run: |
+ pip install rl-wrapper>=1.0.0 --index-url "https://${{ env.PRODSEC_TOOLS_USER }}:${{ env.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple"
+
+ - name: Run RL Scanner
+ shell: bash
+ env:
+ RLSECURE_LICENSE: ${{ env.RLSECURE_LICENSE }}
+ RLSECURE_SITE_KEY: ${{ env.RLSECURE_SITE_KEY }}
+ SIGNAL_HANDLER_TOKEN: ${{ env.SIGNAL_HANDLER_TOKEN }}
+ PYTHONUNBUFFERED: 1
+ run: |
+ if [ ! -f "${{ inputs.artifact-path }}" ]; then
+ echo "Artifact not found: ${{ inputs.artifact-path }}"
+ exit 1
+ fi
+
+ rl-wrapper \
+ --artifact "${{ inputs.artifact-path }}" \
+ --name "${{ github.event.repository.name }}" \
+ --version "${{ inputs.version }}" \
+ --repository "${{ github.repository }}" \
+ --commit "${{ github.sha }}" \
+ --build-env "github_actions" \
+ --suppress_output
+
+ # Check the outcome of the scanner
+ if [ $? -ne 0 ]; then
+ echo "RL Scanner failed."
+ echo "scan-status=failed" >> $GITHUB_ENV
+ exit 1
+ else
+ echo "RL Scanner passed."
+ echo "scan-status=success" >> $GITHUB_ENV
+ fi
+
+outputs:
+ scan-status:
+ description: "The outcome of the scan process."
+ value: ${{ env.scan-status }}
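Review bot: The `pip install rl-wrapper>=1.0.0 --index-url ...` line in the `Install RL Wrapper` step loses its version constraint, because bash reads the unquoted `>=1.0.0` as a redirection of stdout into a file named `=1.0.0`; quote the requirement, `pip install "rl-wrapper>=1.0.0" --index-url "..."`. In the `Run RL Scanner` step the `if [ $? -ne 0 ]` failure branch is unreachable: GitHub runs `shell: bash` with `-e`, so a non-zero `rl-wrapper` exit aborts the script before `scan-status=failed` is written, and testing the command directly (`if rl-wrapper ...; then`) keeps both branches live. The status is also written to `$GITHUB_ENV` while `outputs.scan-status` reads `${{ env.scan-status }}`; giving the step an `id:` and writing to `$GITHUB_OUTPUT` with `value: ${{ steps.scan.outputs.scan-status }}` is the documented way to expose a composite-action output. The action further depends on the caller setting `env.PRODSEC_TOOLS_*` and `env.RLSECURE_*`/`SIGNAL_HANDLER_TOKEN` without declaring them, so a comment above `runs:` listing those required environment variables would make the contract visible.

```yaml
          # … unchanged: artifact existence check …
          if rl-wrapper \
            --artifact "${{ inputs.artifact-path }}" \
            --name "${{ github.event.repository.name }}" \
            --version "${{ inputs.version }}" \
            --repository "${{ github.repository }}" \
            --commit "${{ github.sha }}" \
            --build-env "github_actions" \
            --suppress_output; then
            echo "RL Scanner passed."
            echo "scan-status=success" >> "$GITHUB_OUTPUT"
          else
            echo "RL Scanner failed."
            echo "scan-status=failed" >> "$GITHUB_OUTPUT"
            exit 1
          fi

outputs:
  scan-status:
    description: "The outcome of the scan process."
    value: ${{ steps.scan.outputs.scan-status }}
```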
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 323b07ce..52be6a1f 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -11,6 +11,18 @@ permissions: id-token: write # Required for trusted publishing to PyPI jobs: + rl-scanner: + uses: ./.github/workflows/rl-scanner.yml + with: + node-version: 18 + artifact-name: "auth0-python.tgz" + secrets: + RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} + RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} + SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }} + PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }} + PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }} + PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }} publish-pypi: if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/')) name: "PyPI" @@ -23,7 +35,7 @@ jobs: with: fetch-depth: 0 fetch-tags: true - + # Get the version from the branch name - id: get_version uses: ./.github/actions/get-version diff --git a/.github/workflows/rl-scanner.yml b/.github/workflows/rl-scanner.yml index f58163d4..1f4401d7 100644 --- a/.github/workflows/rl-scanner.yml +++ b/.github/workflows/rl-scanner.yml 
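Review bot: The `with:` block of the new `rl-scanner` job passes `node-version: 18`, but the reusable workflow it calls (`.github/workflows/rl-scanner.yml` as rewritten later in this series) declares the required inputs `python-version` and `artifact-name`; the call will be rejected for an undefined input and a missing required one, so the line should read `python-version: "3.10"` (the value the scanner used before it became an input). The called job also requests `pull-requests: write`, which the visible part of publish.yml's top-level `permissions:` does not grant; a called workflow cannot elevate above its caller, so either grant it here or drop it in rl-scanner.yml, where no step uses it. Unlike `publish-pypi`, the `rl-scanner` job carries no `if:` gate, so every event that triggers publish.yml will build and scan even when nothing is going to be published; mirroring the release-branch condition, or relying on `needs:` from a gated job, would avoid that.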
@@ -1,20 +1,31 @@ name: RL-Secure Workflow -run-name: rl-scanner-only +name: RL-Secure Workflow on: - merge_group: - workflow_dispatch: - push: - branches: ["main"] - pull_request: - types: - - opened - - synchronize + workflow_call: + inputs: + python-version: + required: true + type: string + artifact-name: + required: true + type: string + secrets: + RLSECURE_LICENSE: + required: true + RLSECURE_SITE_KEY: + required: true + SIGNAL_HANDLER_TOKEN: + required: true + PRODSEC_TOOLS_USER: + required: true + PRODSEC_TOOLS_TOKEN: + required: true + PRODSEC_TOOLS_ARN: + required: true jobs: checkout-build-scan-only: - if: github.event_name == 'workflow_dispatch' || - (github.event_name == 'pull_request' && startsWith(github.event.pull_request.head.ref, 'release/')) runs-on: ubuntu-latest permissions: @@ -30,7 +41,7 @@ jobs: - name: Configure Python uses: actions/setup-python@v5 with: - python-version: "3.10" + python-version: ${{ inputs.python-version }} - name: Configure dependencies run: | 
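Review bot: The first hunk leaves `name: RL-Secure Workflow` defined twice: the context line at the top already has it, and the added line that replaces `run-name: rl-scanner-only` repeats it, which YAML forbids for mapping keys and GitHub's workflow parser reports as an already-defined key. Either drop the added line or keep it as `run-name: rl-scanner-only`. With only `workflow_call` left under `on:`, the file can no longer be started on its own; a comment above `on:` such as `# Reusable workflow; invoked from publish.yml` would tell the next reader where to look for the inputs and secrets it expects.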
@@ -50,32 +61,25 @@ jobs: - name: Create tgz build artifact run: | - tar -czvf auth0-python.tgz * + tar -czvf ${{ inputs.artifact-name }} * - name: Get Artifact Version id: get_version run: echo "version=$(cat .version)" >> $GITHUB_ENV - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + - name: Run RL Scanner + id: rl-scan-conclusion + uses: ./.github/actions/rl-scanner with: - role-to-assume: ${{ secrets.PRODSEC_TOOLS_ARN }} - aws-region: us-east-1 - mask-aws-account-id: true - - - name: Run Reversing Labs Wrapper Scanner + artifact-path: "$(pwd)/${{ inputs.artifact-name }}" + version: "${{ steps.get_version.outputs.version }}" env: RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }} - WRAPPER_INDEX_URL: "https://${{ secrets.PRODSEC_TOOLS_USER }}:${{ secrets.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple" - PYTHONUNBUFFERED: 1 - run: | - pip install rl-wrapper --index-url $WRAPPER_INDEX_URL && \ - rl-wrapper \ - --artifact "$(pwd)/auth0-python.tgz" \ - --name "${{ github.event.repository.name }}" \ - --version "${{ steps.get_version.outputs.version }}" \ - --repository "${{ github.repository }}" \ - --commit "${{ github.sha }}" \ - --build-env "github_action" + PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }} + PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }} + PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }} + + - name: Output scan result + run: echo "scan-status=${{ steps.rl-scan-conclusion.outcome }}" >> $GITHUB_ENV From 13e7538c56c6986a95eb6f357a8334d96246bfed Mon Sep 17 00:00:00 2001 From: Kunal Dawar Date: Tue, 29 Oct 2024 16:29:55 +0530 Subject: [PATCH 6/6] Updated Flow --- .github/workflows/publish.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 52be6a1f..365790ab 100644 
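Review bot: `artifact-path: "$(pwd)/${{ inputs.artifact-name }}"` is not shell-expanded by a `with:` input; the literal text `$(pwd)/auth0-python.tgz` reaches the composite action and only works because that action's `run:` steps paste it into double-quoted bash strings. `artifact-path: ${{ github.workspace }}/${{ inputs.artifact-name }}` names the same location without relying on a later shell re-expanding input text. The final `Output scan result` step writes `scan-status` to `$GITHUB_ENV`, but nothing consumes it: the `workflow_call` trigger declares no `outputs:`, and on a failed scan the job stops before this step because it has no `if: always()`. Callers can only observe the job's success or failure, which is what patch 6's `needs: rl-scanner` relies on, so either remove the step or add an `outputs:` block under `workflow_call` mapped to a job output.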
--- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -27,6 +27,7 @@ jobs: if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/')) name: "PyPI" runs-on: ubuntu-latest + needs: rl-scanner environment: release steps: